Malware is short for malicious software and is used as a term to refer to any software designed to infiltrate or damage a computer system without the owner's informed consent. Malware can include computer viruses, worms, trojan horses, rootkits, and spyware. In order to prevent problems associated with malware infections, many end users make use of anti-virus software to detect and possibly remove malware. In addition, anti-virus software is often also used to detect any other potentially unwanted programs (PUP). A PUP is a program that may be unwanted, despite the possibility that users consented to download it, often downloading the program in conjunction with a program that the user wants. PUPs can include spyware, adware, scareware, and scamware.
In order to detect a malware or PUP file, the anti-virus software must have some way of identifying it amongst all the other files present on a device. Typically, this requires that the anti-virus software has a database containing the “signatures” or “fingerprints” that are characteristic of individual malware or PUP files. When the supplier of the anti-virus software identifies new malware or a new PUP, the program is analysed and its signature is generated. The malware or PUP is then “known” and its signature can be distributed to end users as updates to their local anti-virus software databases.
Using approaches that solely rely on signature scanning to detect malware still leaves computers vulnerable to “unknown” or “zero day” malware programs/applications that have not yet been analysed for their signature. To address this issue, in addition to scanning for malware or PUP signatures, most anti-virus applications additionally employ heuristic analysis. This approach involves the application of general rules intended to distinguish the behaviour of any malware or PUP from that of clean/legitimate programs. For example, the behaviour of all programs/applications on a PC may be monitored and if a program/application attempts to write data to an executable file, the anti-virus software can flag this as suspicious behaviour. Heuristics can be based on behaviours such as API calls, attempts to send data over the Internet, etc. However, due to the ever increasing and ever changing nature of malware, these heuristic detection methods are not sufficient to detect all unknown malware.